Query parameter signing

Sign your URL query parameters

A signature helps prove that a URL is authentic: adding one to your URL helps prevent imposters from pretending to be you.

How to generate a signature

Compute a hash-based message authentication code (HMAC) using the SHA-256 hash function. Use your private key as the key and the address as the input.

Always generate signatures in your server-side application and never on the client, as that would leak the private key.

All query parameters and their values must be URL-encoded for signature generation to work.

Examples

Signing walletAddress

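import crypto from "crypto";

const url = "https://blockchain.com/pay/widget";
const walletAddress = "address";

// HMAC-SHA256 of the wallet address, keyed with your secret API key
// ("secret-api-key" is a placeholder), output as a hex string.
const walletAddressSignature = crypto
    .createHmac("sha256", "secret-api-key")
    .update(walletAddress)
    .digest("hex");

// Append the address and its signature as query parameters.
const finalUrl = `${url}?walletAddress=${walletAddress}&walletAddressSignature=${walletAddressSignature}`;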

Signing redirectUrl

import crypto from "crypto";

const url = "https://blockchain.com/pay/widget";
const redirectUrl = "https://example.com/?additionalParam=data";

// URL-encode first: the signature is computed over the encoded value,
// which is also the exact string placed in the query parameter.
const encodedRedirectUrl = encodeURIComponent(redirectUrl);
const redirectUrlSignature = crypto
    .createHmac("sha256", "secret-api-key")
    .update(encodedRedirectUrl)
    .digest("hex");

// Append the encoded redirect URL and its signature as query parameters.
const finalUrl = `${url}?redirectUrl=${encodedRedirectUrl}&redirectUrlSignature=${redirectUrlSignature}`;

Don't forget to add your apiKey to the URL. Contact your account representative for how to access your secret API key.
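
The two examples above, combined into one server-side helper with a matching check. This is an added example, not code from Blockchain.com. It assumes the signature is always computed over the URL-encoded value, as in the redirectUrl example (for a plain alphanumeric address the bytes are the same). The environment variable name WIDGET_SECRET_KEY and the function names are hypothetical.

```javascript
// Added example for Node.js, server side only. Loads the built-in crypto
// module whether this file runs as CommonJS or as an ES module.
const crypto = typeof require === "function"
  ? require("node:crypto")
  : process.getBuiltinModule("node:crypto");

// Assumption: the secret key comes from server-side configuration.
// WIDGET_SECRET_KEY is a hypothetical name; the fallback is a constructed demo value.
const SECRET = process.env.WIDGET_SECRET_KEY || "constructed-demo-key";

// HMAC-SHA256 over the URL-encoded value, returned as a hex string.
function signParam(value, key = SECRET) {
  const encoded = encodeURIComponent(value);
  const signature = crypto.createHmac("sha256", key).update(encoded).digest("hex");
  return { encoded, signature };
}

// Build the final URL: each parameter is followed by its <name>Signature.
function buildSignedUrl(baseUrl, params, key = SECRET) {
  const parts = [];
  for (const [name, value] of Object.entries(params)) {
    const { encoded, signature } = signParam(value, key);
    parts.push(`${name}=${encoded}`, `${name}Signature=${signature}`);
  }
  return `${baseUrl}?${parts.join("&")}`;
}

// Check a signature the way a receiver holding the same key could:
// recompute the HMAC and compare in constant time. A malformed or
// wrong-length signature is rejected before the comparison.
function verifyParam(encoded, signatureHex, key = SECRET) {
  const expected = crypto.createHmac("sha256", key).update(encoded).digest();
  const given = Buffer.from(String(signatureHex), "hex");
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Constructed sample input, reusing the values from the examples above.
const demoUrl = buildSignedUrl("https://blockchain.com/pay/widget", {
  walletAddress: "address",
  redirectUrl: "https://example.com/?additionalParam=data",
});
console.log(demoUrl);
```

Changing any character of a signed value after signing makes verifyParam return false, which is why the encoded string that is signed must be the same string placed in the URL.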
